Title: National Information Assurance Program Common Criteria Evaluation and Validation Scheme
1National Information Assurance ProgramCommon
Criteria Evaluation and Validation Scheme
- Jean H. Schaffer
- NIAP CCEVS / NSA V13
- (410) 854-4458
2National Information Assurance Partnership
Partnership to meet the security testing needs of
IT producers
3Common Criteria Evaluation and Validation Scheme
(CCEVS)
- Objective
- Test Security Properties of Commercial Products
- Approach
- Tests performed by Accredited Commercial
Laboratories - Validity/Integrity of results underwritten by
NIAP - Results posted for public access
4Common Criteria Evaluation and Validation Scheme
(CCEVS)
- Evaluates conformance of the security features of
IT products to the International Common Criteria
(CC) for Information Technology Security
Evaluation. - Issues Certificates to vendors
- for successful completion
- of evaluations.
- Not an NSA or NIST endorsement
- Not a statement about
- goodness of product
5U.S. Approved Common Criteria Testing
Laboratories
- Cable Wireless Systems Columbia, Maryland
- Booz, Allen Hamilton Linthicum, Maryland
- COACT, Inc. Columbia, Maryland
- Computer Sciences Corp. Annapolis Junction,
MD - CygnaCom Solutions, Inc. McLean, Virginia
- InfoGard Laboratories, Inc San Luis Obispo,
CA - Science Applications Intl Corp. Columbia, MD
- .. More Applicants Received
6Common Criteria Recognition Arrangement (CCRA)
Expressed Interest
US
Canada
UK
Germany
France
Australia/New Zealand
Netherlands
Finland
Italy
Norway
Spain
Israel
Greece
Sweden
Austria
Russia
Japan
South Korea
7Common Criteria The International Standard
- What the standard is
- Common structure and language for expressing
product/system IT security requirements (Part 1) - Catalog of standardized IT security requirement
components and packages (Parts 2 and 3) - How the standard is used
- Develop protection profiles and security targets
-- specific IT security requirements and
specifications for products and systems - Evaluate products and systems against known and
understood IT security requirements
8Common Criteria Sections
- Part 1 Introduction and General Model
- Part 2 Security Functional Requirements and
Annexes - Part 3 Security Assurance Requirements
9Protection Profiles
- Answers the question
- What do I need in a security solution?
- Implementation independent
- Multiple implementations may satisfy PP
requirements - Authors can be both consumers and producers of IT
products and systems
10Security Targets
- Answers the question
- What do you provide in a security solution?
- Implementation dependent/specific
- Authors can be product vendors, product
developers, or product integrators
11UNCLASSIFIED
Evaluation Process Summary
VALIDATION
- Oversee- Review- Validate
EVALUATION
Commercial Evaluation Facility
- Analyze - Test - Document - Report
12http//niap.nist.gov//cc-scheme
13Governing Policies
14- NSTISSP No. 11
- National Policy Governing the Acquisition of
Information Assurance (IA) and IA-Enabled
Information Technology Products that protect
national security information. - Effective 1 July 2002, all COTS IA and IA-Enabled
products must be evaluated by - International Common Criteria Mutual Recognition
Arrangement - NIAP Evaluation and Validation Program (CCEVS)
- NIST FIPS validation program
15- NSTISSP No. 11 (cont.)
- The evaluation/validation of COTS IA and
IA-enabled products will be conducted by
accredited commercial laboratories, or the NIST. - All GOTS IA or IA enabled products must be
evaluated by NSA or an NSA approved process.
16- National Information Assurance Acquisition
Policy, dated 6 Aug 2002 (Guthrie Memo) - If Government Protection Profile (PP) exist,
products must get evaluated against PP. - Minimum EAL2 for products with no PP.
- If product has not been evaluated yet, as
condition of purchase, vendor must commit to
having their product evaluated. - Contracts shall specify product validation will
be kept current via the NIAP Assurance
Maintenance Program. - Superseded by DODI 8500.2
17- DOD Directive 8500.1, 24 OCT 2002
- All IA or IA-enabled products incorporated into
DoD information systems must comply with NSTISSP
11 - Products must be satisfactorily evaluated and
validated either - prior to purchase or
- If product has not been evaluated yet, as
condition of purchase, vendor must commit to
having their product evaluated. - Purchase contracts shall specify that product
validation will be maintained for subsequent
releases.
18- DOD INSTRUCTION 8500.2 12 FEB 2003
- Defines generic robustness levels of basic,
medium, and high and assigns baseline levels of
IA services dependent on value of information and
environment - If Government Protection Profile (PP) exist for a
specific technology area - products must get evaluated against PP.
- If no Government PP exist for a specific
technology area - as a condition of purchase, products must be
submitted for evaluation at the appropriate EAL
level as determined by ISSE and DAA.
19Public Law 107-314, 2 DEC 2002
- Passed by House Armed Services part of Defense
Authorization Bill - Subtitle F Information Technology, Section 352
- Directs that Secretary to establish a policy to
limit the acquisition of information assurance
technology products that have been evaluated and
validated in accordance with appropriate
criteria, schemes, or programs. Authorizes the
Secretary to waive such policy for U.S. national
security purposes.
20- NIST Special Pub 800-23
- Applies to U.S. Civil Government
- Recommends CC evaluations/validations
21- National Strategy to Secure Cyberspace
- To enhance procurement of more secure IT
products, the Federal Govt, by 4Q FY03, will
complete a comprehensive program performance
review of the NIAP to determine - Cost effectiveness
- Targets a clearly identified security gap
- Has defined goals to close the gap
- Whether it is achieving these goals
- Whether program improvements, streamlining, or
expansion are appropriate and cost effective
22QUESTIONS ?
- Review of Common Criteria (CC)
- Important Web Sites
- CCEVS http//niap.nist.gov/cc-scheme
- Common Criteria http//commoncriteria.org
- NSTISSP No. 11 http//www.nstissc.gov/html/library
.html - Validated Products http//niap.nist.gov/cc-scheme/
Validated Products.html - Protection Profiles http//niap.nist.gov/cc-scheme
/PP
The National Information Assurance Partnership /
Common Criteria Evaluation and Validation Scheme
23Contact Information
For further information contact Jean H.
Schaffer National Security Agency 9800 Savage
Road, STE 6740 Fort George G. Meade, MD
20755-6740 jhschaf_at_missi.ncsc.mil phone
(410) 854-4458 http//niap.nist.gov/cc-scheme
fax (410) 854-6684